Programmable logic devices (“PLDs”) are well known. In one class of known PLDs, each device has a large number of logic gates, and a user programs the device to assume a particular configuration of those logic gates, frequently using a software tool provided by the manufacturer of the device; the software tool is executed on a computer having an adapter into which the device is inserted. Early generations of such devices typically used some form of programmable read-only memory (“PROM”) technology to store the configuration data produced by the software tool. In those early devices, the software tool caused the computer to “burn” the pattern into the PROM storage by fusing fusible links. In later generations, the PROM technology may have been erasable programmable read-only memory (“EPROM”) technology, which was not burned and could be erased (for reprogramming) by exposure to ultraviolet light. Still later generations may have used electrically erasable programmable read-only memory (“EEPROM” or “E2PROM”) technology.
All of those technologies were relatively secure, because reprogramming a device based on one of them required physical access to the device. It was therefore difficult for someone to substitute different programming, i.e., to alter the functioning of the device without authorization. In the non-erasable devices, it was not possible at all. Even in the erasable devices, substantial effort would have been required.
Later, programmable logic devices that store their configuration data in static random access memory (“SRAM”) storage became available and remain prevalent. Such devices have the advantage of being smaller and faster than the devices based on EPROM technology.
However, SRAM storage is volatile; it does not retain its contents when power is lost. Therefore, programmable logic devices based on SRAM technology are used with nonvolatile storage, to retain the configuration programming data during times that the device is switched off or otherwise not provided with power. Such nonvolatile storage may be provided, for example, in the form of Flash memory, although any form of nonvolatile storage may be used, and it may be either on, or separate from, the device.
Whatever type of nonvolatile storage is used, someone intent on changing the operation of an SRAM-based programmable logic device without authorization could replace or reprogram the nonvolatile storage containing the configuration data, and the device would load the unauthorized configuration on its next power-up event. Moreover, such devices frequently are reconfigurable or partially reconfigurable during normal operation, so it may be possible for someone without authorization to replace the configuration data in the nonvolatile storage and cause a reconfiguration even without a power-up event.
Commonly-assigned U.S. Pat. Nos. 5,768,372 and 5,915,017, each of which is hereby incorporated by reference herein in its respective entirety, describe the encryption of the configuration data stored in the nonvolatile storage and its decryption upon loading into the programmable device, including provision of an indicator to signal to the decryption circuit which of several possible encryption/decryption schemes was used to encrypt the configuration data and therefore should be used to decrypt the configuration data.
In more recent devices, configuration data may be authenticated by adding an authentication tag to the configuration data, where the authentication tag is computed under an authentication key that is programmed into the FPGA. For example, the authentication tag could be generated with the NIST HMAC algorithm (FIPS 198-1) keyed with a NIST SHA-2 hash function (FIPS 180-4). The device would then use its programmed authentication key and the same algorithm to recompute the tag and compare it with the tag carried in the configuration data. Because HMAC is a symmetric scheme, the key that verifies a tag is the same key that generates one. One problem with this approach is therefore that a sophisticated attacker may be able to extract the HMAC authentication key from the device (e.g., by using a sophisticated probe such as a focused ion beam probe), allowing the attacker to compute a valid authentication tag for an unauthorized configuration, which the device would then accept.
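The following is an added example, not code from the patent or from any device manufacturer's tool flow. It models the tag-and-verify scheme just described with HMAC-SHA-256 from the Python standard library, and then shows the failure mode: an attacker who has substituted configuration data without the key is rejected, but an attacker who has extracted the device key can forge a tag that the device accepts. The key, the two "bitstreams" and the function names are constructed for illustration and are not from any real device.

```python
"""Added example: HMAC-SHA-256 authentication of a configuration image,
and why extraction of the symmetric key defeats it. Key, images and
names below are constructed for illustration, not taken from a device."""
import hashlib
import hmac
import os
from typing import Dict, Optional

TAG_LEN = 32  # HMAC-SHA-256 produces a 32-byte tag


def tag_config(config: bytes, key: bytes) -> bytes:
    """Tool side: append HMAC-SHA-256(key, config) to the configuration,
    producing the image that would be written to nonvolatile storage."""
    tag = hmac.new(key, config, hashlib.sha256).digest()
    return config + tag


def verify_config(image: bytes, key: bytes) -> Optional[bytes]:
    """Device side: split off the trailing tag, recompute it with the
    programmed key and compare in constant time. Returns the configuration
    on success, or None if the image is too short or the tag mismatches."""
    if len(image) <= TAG_LEN:
        return None
    config, tag = image[:-TAG_LEN], image[-TAG_LEN:]
    expected = hmac.new(key, config, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return config


# Constructed authentication key, standing in for the key programmed
# into the FPGA. A real key would be random and never leave the device.
DEVICE_KEY = bytes.fromhex(
    "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f"
)
# Constructed stand-ins for an authorized and an unauthorized bitstream.
AUTHENTIC_CONFIG = b"\xaa\x99\x55\x66" + bytes(range(64))
UNAUTHORIZED_CONFIG = b"\xaa\x99\x55\x66" + bytes(64)


def demo() -> Dict[str, bool]:
    """Run the four scenarios and report whether each behaves as expected."""
    results: Dict[str, bool] = {}

    # 1. Authorized image, produced with the device key: accepted.
    image = tag_config(AUTHENTIC_CONFIG, DEVICE_KEY)
    results["authentic_accepted"] = (
        verify_config(image, DEVICE_KEY) == AUTHENTIC_CONFIG
    )

    # 2. Attacker swaps the configuration in Flash but keeps the old tag.
    tampered = UNAUTHORIZED_CONFIG + image[-TAG_LEN:]
    results["tamper_without_key_rejected"] = (
        verify_config(tampered, DEVICE_KEY) is None
    )

    # 3. Attacker tags the unauthorized configuration under a guessed key.
    guessed = tag_config(UNAUTHORIZED_CONFIG, os.urandom(32))
    results["wrong_key_rejected"] = verify_config(guessed, DEVICE_KEY) is None

    # 4. Attacker has extracted DEVICE_KEY (e.g. by probing the die) and
    #    tags the unauthorized configuration with it: the device accepts it,
    #    because the verifying key is also the forging key.
    forged = tag_config(UNAUTHORIZED_CONFIG, DEVICE_KEY)
    results["forgery_with_extracted_key_accepted"] = (
        verify_config(forged, DEVICE_KEY) == UNAUTHORIZED_CONFIG
    )
    return results


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

Scenario 4 is the whole point of the paragraph above: HMAC binds the configuration to whoever holds the key, not to the manufacturer, so once the key has been read out of the silicon the tag no longer distinguishes authorized from unauthorized configurations. The `hmac.compare_digest` call is the usual constant-time comparison; a byte-by-byte early-exit compare would add a timing side channel on top of the key-extraction problem.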